
Stephen B. Wicker and Stephanie Santoso, The Breakdown of a Paradigm – Cellular Regime Change and the Death of the Wiretap

Comment by: Susan Landau

PLSC 2013

Workshop draft abstract:

The coming change from a centralized cellular network to an end-to-end architecture imperils both law enforcement surveillance and the content/context model embodied in ECPA and CALEA. This paper explores the nature of the new technology, and suggests possible models for future legislation.

Traditional cellular is a wireless add-on to a network, the public switched telephone network (PSTN), whose basic architecture is highly centralized. The endpoints – the handsets – have virtually no control over how calls are processed. This centralized architecture has enabled wiretaps, pen registers, and trap and trace devices, all dependent on the handset passing content and context information to the network for processing. This centralized architecture is in sharp contrast to the “end-to-end” architecture exemplified by the Internet. The network fabric of the Internet contains routers that generally operate only at the network, data link, and physical layers. Higher layer activity, from transport up to the application layer, resides in the endpoints. Barbara van Schewick [1] and others have shown that this end-to-end approach provides better performance, is more economical, and greatly spurs innovation relative to centralized architectures. There is thus strong pressure for centralized networks to move towards an end-to-end approach.

Voice-over-IP represents an initial movement in this direction. Though still centrally controlled, VoIP telephony promised to free voice and data traffic from having to follow the same network path. CALEA reined in this process by requiring a single point (usually in the form of a session border controller) that facilitates the creation of a duplicate packet stream that can be routed to law enforcement. Law enforcement is thus able to “maintain technological capabilities commensurate with existing statutory authority” [2]. Universal Mobile Access (UMA) is a more ominous development. UMA allows cellular handsets to offload data and voice to unlicensed WiFi channels when such channels are available. Once again, a central point of focus – in this case, the network controller – preserves data collection capabilities.

The endpoint of the cellular technology trajectory is becoming clear. A combination of unlicensed spectrum and open-source development will result in a commons-based cellular system with an end-to-end architecture. This paper considers what such a cellular network might look like. Incorporating the work of Elinor Ostrom [3] and the Open Source revolution [4], this paper explores how network routing and handset location algorithms can be developed in such a manner that wiretaps, pen registers, and trap and trace devices will be completely obsolete. In particular, the paper considers networks that have no concept of dialing, and have no centralized location databases. Having established a general model for a commons-based cellular system, possible solutions for limited, yet effective support for law enforcement data collection will be considered that acknowledge the nature of the new technology. Consideration of appropriate alternatives to the content/context distinction will also be provided.

Stephanie K. Pell and Christopher Soghoian, Your Secret Technology’s No Secret Anymore: Will the Changing Economics of Cell Phone Surveillance Cause the Government to “Go Dark?”

Comment by: Susan Landau

PLSC 2013

Workshop draft abstract:

Since the mid-1990s, U.S. law enforcement agencies have used a sophisticated surveillance technology that exploits security flaws in cell phone networks to locate and monitor mobile devices covertly, without requiring assistance from wireless carriers. This Article explores the serious privacy and security issues associated with the American government’s continued exploitation of cell phone network security flaws. It argues that legislative and industry action is needed if only to avoid a single ironic result: the government may unintentionally compromise its ability to conduct standard, carrier-assisted electronic surveillance. Without reform, it is likely that mobile device and software vendors will adopt end-to-end encryption to provide their customers with secure communications, causing wireless communications to go dark to law enforcement’s gaze. Moreover, the U.S. government’s reflexive obfuscation of this surveillance practice facilitates additional harms: enabling foreign espionage and domestic industrial espionage on U.S. soil and encouraging ubiquitous monitoring by private parties.

The U.S. government monitors mobile phones via cell site simulator(s) (CSS) that functionally mimic cell phone towers. CSS exploit a fundamental security flaw in all cellular devices: they cannot authenticate the origin of signals but merely connect to any nearby source whose signal purports to be from a tower operated by a licensed provider. Once a phone erroneously connects to a CSS, its location can be determined, and calls, text messages and data can be intercepted, recorded, redirected, manipulated or blocked.
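As an added illustration, not part of the abstract or the authors' work, the following toy Python model shows the authentication asymmetry described above: a GSM-style handset attaches to any tower that answers, while a handset that verifies a keyed token over the network's challenge (a simplified stand-in for the mutual authentication introduced with 3G AKA) rejects a tower that lacks the subscriber key and rejects a replayed token. The key value, class names and token format are constructed for the example.

```python
import hmac
import hashlib
import os

# Constructed subscriber key K (not from the paper), shared only with the
# home carrier's authentication centre; a cell site simulator never has it.
K_SUBSCRIBER = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")

def make_autn(key, rand, sqn):
    """Network token: sequence number plus MAC over RAND||SQN under K
    (simplified stand-in for the 3G AKA AUTN; real AKA uses f1, hides SQN)."""
    sqn_bytes = sqn.to_bytes(6, "big")
    mac = hmac.new(key, rand + sqn_bytes, hashlib.sha256).digest()[:8]
    return sqn_bytes + mac

class BaseStation:
    """A tower: a licensed one knows K, a cell site simulator does not."""
    def __init__(self, key=None):
        self.key, self.sqn = key, 0
    def challenge(self):
        rand = os.urandom(16)
        if self.key is None:
            return rand, None  # no key, so no valid AUTN can be produced
        self.sqn += 1
        return rand, make_autn(self.key, rand, self.sqn)

class Handset:
    def __init__(self, key, mutual_auth):
        self.key, self.mutual_auth, self.last_sqn = key, mutual_auth, 0
    def attach(self, rand, autn):
        if not self.mutual_auth:
            return True  # GSM-style: camps on anything that looks like a tower
        if autn is None:
            return False  # tower offered no proof of holding K
        sqn = int.from_bytes(autn[:6], "big")
        if not hmac.compare_digest(make_autn(self.key, rand, sqn), autn):
            return False  # forged token: sender does not hold K
        if sqn <= self.last_sqn:
            return False  # replayed token captured from the real carrier
        self.last_sqn = sqn
        return True

def run_scenario(mutual_auth):
    """Attach to the real carrier, then to a simulator, then to a replay."""
    carrier, rogue = BaseStation(K_SUBSCRIBER), BaseStation()
    phone = Handset(K_SUBSCRIBER, mutual_auth)
    rand, autn = carrier.challenge()
    return {"carrier": phone.attach(rand, autn),
            "rogue": phone.attach(*rogue.challenge()),
            "replay": phone.attach(rand, autn)}
```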

Law enforcement, intelligence agencies, and the military have presumably used CSS to their advantage: when a target’s phone number is unknown or a mobile device has no GPS chip, they can monitor every phone in a geographic area using briefcase-sized CSS hardware. Moreover, when the government cannot obtain a phone company’s assistance, such as in operations abroad, it can use CSS to conduct surveillance without the carrier’s knowledge.

By intercepting signals directly, CSS circumvent the limited but useful privacy protections offered by commercial third parties. While privacy scholarship and recent Supreme Court jurisprudence often denounce the third party doctrine, this Article argues, counter intuitively, that third party control of data can protect privacy. When compared with warrantless, unmediated government surveillance, third parties can act as gatekeepers with the capacity to challenge government overreach, particularly when market incentives and customer interests align with privacy concerns. These intermediaries can even invoke judicial scrutiny of government surveillance practices. Their efforts can create opportunities for courts to develop new Fourth Amendment doctrine while scrutinizing surveillance practices, such as with the concurring opinions in U.S. v. Jones, and for Congress to regulate these practices by statute.

To date, legal scholarship has failed to consider the effects of CSS both within and outside of the domestic law enforcement context. Indeed, the privacy and security risks associated with CSS cannot be cabined by the Fourth Amendment or statute, for the problems extend beyond America’s borders. Western democracies no longer have a monopoly over access to CSS technology. There is a robust market in CSS technologies, and several vendors around the world sell to any government or individual who can pay their price.

Surveillance is also increasingly ubiquitous. Researchers have created low-cost, easy-to-construct CSS. For under $2,500, tech-savvy criminals can purchase off-the-shelf equipment to build their own CSS. Less robust “passive” interception of nearby calls is also possible by modifying a widely available $20 cell phone. Wiretapping is no longer the exclusive province of governments, but is equally available to private investigators, identity thieves, and industrial spies.

Despite this significant technological change, the U.S. government continues to shield information about its own use of CSS, ostensibly to protect such use in the future. This opacity comes at a cost: treating CSS as solely a “sources and methods” protection issue suppresses public debate and education about the security vulnerabilities in our cell phone networks. That trade-off might have been reasonable when access to CSS was privileged and expensive, but the rapid democratization of surveillance is changing the balance of privacy and security equities.

U.S. government use of CSS accentuates the fundamental tension between government surveillance capabilities and the security of networks. When Congress has grappled with this conflict in the past, it gave priority to surveillance capabilities. Today, however, the same threat environment that informs ongoing cyber security legislative efforts mandates that any solution crafted to cabin the harms of CSS recognize the primacy of network security.

For years, legal wiretapping was straightforward: the officer doing the intercept connected a tape recorder or the like to a single pair of wires. By the 1990s, though, the changing structure of telecommunications—there was no longer just “Ma Bell” to talk to—and new technologies such as ISDN and cellular telephony made life more complicated. Simple technologies would no longer suffice. In response, Congress passed the Communications Assistance for Law Enforcement Act (CALEA), which mandated a standardized lawful intercept interface on all local phone switches. Technology has continued to progress, and in the face of new forms of communication—Skype, voice chat during multiplayer online games, many forms of instant messaging, etc.—law enforcement is again experiencing problems. The FBI has called this “Going Dark”: their loss of access to suspects’ communication. According to news reports, they want changes to the wiretap laws to require a CALEA-like interface in Internet software.

CALEA, though, has its own issues: it is complex software specifically intended to create a security hole—eavesdropping capability—in the already-complex environment of a phone switch. Warnings of danger have indeed come to pass, most famously in the so-called “Athens Affair”, where someone hacked into a Vodafone Greece switch and used the built-in lawful intercept mechanism to listen to the cell phone calls of high Greek officials, up to and including the Prime Minister. In an earlier work, we showed why extending CALEA to the Internet would create very serious problems, including very specifically creating many new security problems.

We proposed an alternative: legalized hacking, relying on the very large store of unintentional, naturally occurring existing vulnerabilities in software to obtain access to communications. Relying on vulnerabilities and hacking, though, poses a large set of legal and policy questions. Among these are:

- Will it create disincentives to patching?
- Will there be a negative effect on innovation? (Lessons from the so-called “Crypto Wars” of the 1990s are instructive here.)
- Will law enforcement’s participation in vulnerabilities purchases skew the market?
- Should law enforcement even be participating in a market where many of the sellers and other buyers are themselves criminals?
- What happens if these tools are captured and repurposed by miscreants?
- How does the Fourth Amendment affect use of these tools? In particular, since they can grant full access to a computer and not just to communications, should there be statutory restrictions similar to those in the Wiretap Act?
- Is the probability of success from such an approach too low for it to be useful?

There are also logistical and organizational concerns. Local and even state law enforcement agencies are unlikely to have the technical sophistication to develop exploits and the legally acceptable tools to use them. This in turn implies a greater role for the FBI and its labs. Is this intrusion of Federal authorities into local policing acceptable? Will this turn the FBI more into an intelligence agency?

1 Steven M. Bellovin is a professor of computer science at Columbia University.

2 Matt Blaze is an associate professor of computer science at the University of Pennsylvania.

3 Sandy Clark is a Ph.D. student in computer science at the University of Pennsylvania.